basessh/distgit: adjust the way ssh is configured for distgit
Basically, we are now installing a small wrapper in /usr/local/bin which just echoes to stdout what should be in the authorized_keys file for that user. That content is generated by retrieving the ssh key from sssd via the command sss_ssh_authorizedkeys as well as the usual ssh way to restrict the action a user/key can do: command="...". In this case, we're setting a couple of environment variables that are needed later on for things to work properly as well as only allowing the user to call the aclchecker.py script provided by pagure.

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
This commit is contained in:
parent
0597180571
commit
67844b4504
3 changed files with 24 additions and 0 deletions
7
roles/distgit/files/ssh_wrapper
Normal file
|
@ -0,0 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
/usr/bin/sss_ssh_authorizedkeys $1 | while read -r key
|
||||
do
|
||||
echo "command=\"PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg HOME=/srv/git/ /usr/libexec/pagure/aclchecker.py $1\", $key"
|
||||
done
|
||||
|
|
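Review bot: `$1` is used unquoted in `/usr/bin/sss_ssh_authorizedkeys $1` and is interpolated as-is into the `command=\"...\"` option on the echo line, so a value containing whitespace or a double quote would change both the lookup arguments and the options line that sshd parses. Quote it as `"$1"` and exit early unless it matches the expected username character set. The emitted line also carries only `command=`; adding `restrict` where the installed OpenSSH supports it (or the explicit `no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty` options) would keep a key from opening forwardings or a pty alongside the forced command. As a style point, `\", $key` leaves a comma followed by a space before the key; `\" $key` is the conventional form.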
@ -106,6 +106,18 @@
|
|||
tags:
|
||||
- distgit
|
||||
|
||||
# -- SSH
|
||||
# We use a wrapper to let packager ssh in while restricting the command they can
|
||||
# do, this installs that wrapper (which is otherwise configured in sshd_config)
|
||||
|
||||
- name: install the ssh_wrapper wrapper script
|
||||
copy: src=ssh_wrapper dest=/usr/local/bin/ssh_wrapper mode=0755
|
||||
tags:
|
||||
- config
|
||||
- distgit
|
||||
- ssh
|
||||
- basessh
|
||||
|
||||
# -- Dist Git --------------------------------------------
|
||||
# This is the Git setup itself: group, root directory, scripts,...
|
||||
- name: install dist-git
|
||||
|
|
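Review bot: the `copy:` task sets `mode=0755` but no owner or group, while the comment above it says the script is wired into sshd_config. If it is referenced as AuthorizedKeysCommand, as the commit message suggests, sshd requires the program to be owned by root and not writable by group or others, so add `owner=root group=root` to make that explicit instead of relying on which user runs the play. The task name "install the ssh_wrapper wrapper script" also repeats "wrapper", and the comment could name the sshd_config directive that points at /usr/local/bin/ssh_wrapper so the dependency is easy to find.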